Hi Charles,
Thanks again for all the great work on Eiger and DachStein, they are
both working really well for me. After a bit of fighting and learning
of ipchains, I've gotten a couple of successes here while trying to fix
some problems.
The first was that I could not port forward SSH to an internal box
with either Eiger or Dach. I had the proper stuff uncommented in
/etc/network.conf, but it just didn't work. I ended up having to do
the following:
ipchains -I input -i eth0 -j ACCEPT -p tcp -s 0/0 -d 0/0 24
to get the rule early enough in the input chain to be effective. But
I think this is actually too early now, since I'm bypassing some of
the good input rules.
My ipchains ruleset looks like this now:

# ipchains -L input
Chain input (policy DENY):
target  prot opt  source                      destination      ports
ACCEPT  tcp  --   anywhere                    anywhere         any -> 24
DENY    udp  --   10.2.0.1                    anywhere         any -> bootps
DENY    icmp l-   anywhere                    anywhere         redirect
DENY    icmp l-   anywhere                    anywhere         timestamp-request
DENY    icmp l-   anywhere                    anywhere         timestamp-reply
DENY    all  l-   0.0.0.0                     anywhere         n/a
DENY    all  l-   255.255.255.255             anywhere         n/a
DENY    all  l-   localnet/8                  anywhere         n/a
DENY    all  l-   BASE-ADDRESS.MCAST.NET/4    anywhere         n/a
DENY    all  --   10.0.0.0/8                  anywhere         n/a
DENY    all  --   172.16.0.0/12               anywhere         n/a
DENY    all  --   192.168.0.0/16              anywhere         n/a
DENY    all  l-   0.0.0.0/8                   anywhere         n/a
DENY    all  l-   128.0.0.0/16                anywhere         n/a
DENY    all  l-   191.255.0.0/16              anywhere         n/a
DENY    all  l-   192.0.0.0/24                anywhere         n/a
DENY    all  l-   223.255.255.0/24            anywhere         n/a
DENY    all  l-   240.0.0.0/4                 anywhere         n/a
DENY    all  l-   192.168.1.0/24              anywhere         n/a
DENY    all  l-   24-240-176-224.hsacorp.net  anywhere         n/a
REJECT  all  l-   anywhere                    localnet/8       n/a
REJECT  all  l-   anywhere                    192.168.1.0/24   n/a
REJECT  tcp  --   anywhere                    anywhere         any -> netbios-ns
REJECT  tcp  --   anywhere                    anywhere         any -> 135
REJECT  udp  --   anywhere                    anywhere         any -> netbios-ns
REJECT  udp  --   anywhere                    anywhere         any -> 135
REJECT  tcp  --   anywhere                    anywhere         any -> netbios-dgm:netbios-ssn
REJECT  udp  --   anywhere                    anywhere         any -> netbios-dgm
REJECT  udp  --   anywhere                    anywhere         netbios-ns:netbios-dgm -> any
REJECT  udp  --   anywhere                    anywhere         135 -> any
REJECT  tcp  --   anywhere                    anywhere         netbios-ns:netbios-ssn -> any
REJECT  tcp  --   anywhere                    anywhere         135 -> any
ACCEPT  tcp  --   anywhere                    anywhere         any -> ssh
REJECT  tcp  --   anywhere                    anywhere         any -> auth
ACCEPT  tcp  --   anywhere                    anywhere         any -> 1024:65535
REJECT  udp  l-   anywhere                    anywhere         any -> snmp:snmp-trap
ACCEPT  udp  --   anywhere                    anywhere         any -> domain
ACCEPT  udp  --   anywhere                    anywhere         any -> bootpc
DENY    udp  --   anywhere                    anywhere         any -> bootps
ACCEPT  udp  --   anywhere                    anywhere         any -> 1024:65535
ACCEPT  icmp --   anywhere                    anywhere         any -> any
ACCEPT  ospf --   anywhere                    anywhere         n/a
DENY    all  l-   anywhere                    anywhere         n/a
REJECT  udp  l-   anywhere                    anywhere         any -> snmp:snmp-trap
REJECT  udp  l-   anywhere                    anywhere         snmp:snmp-trap -> any
ACCEPT  all  --   anywhere                    anywhere         n/a

The second problem was that I was getting tons and tons of the
following messages in the /var/log/[messages,kern.log,syslog] files:
Dec 16 20:42:22 jfsgw kernel: Packet log: input DENY eth0 PROTO=17 10.2.0.1:67 255.255.255.255:68 L=350 S=0x00 I=22593 F=0x T=255 (#9)
Dec 16 20:42:22 jfsgw kernel:
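Added example, not part of the message above and not code from Eiger/DachStein: a short Python script that parses ipchains "Packet log:" lines like the ones quoted, counts hits per flow (chain, target, interface, protocol, source, destination, destination port) so the rule producing the flood surfaces first, and prints a matching ipchains DENY/REJECT command without the -l flag to silence it. The sample log lines are constructed: the jfsgw host and the 10.2.0.1 -> 255.255.255.255 DHCP broadcast are taken from the message; the other addresses, rule numbers and the script name ipchains_log.py are made up for illustration.

```python
"""Rank the flows behind ipchains "Packet log:" kernel messages.

Added example: this is not code from the message above nor from
Eiger/DachStein. SAMPLE_LOG is constructed: the 'jfsgw' host and the
10.2.0.1 -> 255.255.255.255 DHCP broadcast come from the message, the
other addresses and rule numbers are made up for illustration.
"""
import re
import sys
from collections import Counter

# ipchains (2.2 kernel) log line layout:
#   Packet log: <chain> <target> <iface> PROTO=<n> <src>:<sport> <dst>:<dport>
#               L=<len> S=0x<tos> I=<id> F=0x<frag> T=<ttl> [SYN] [O=<opts>] (#<rule>)
# For PROTO=1 (ICMP) the two "port" fields carry the ICMP type and code.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<length>\d+) S=0x[0-9A-Fa-f]+ "
    r"I=\d+ F=0x[0-9A-Fa-f]* T=(?P<ttl>\d+)"
    r"(?P<extra>(?: \S+)*?)(?: \(#(?P<rule>\d+)\))?\s*$"
)
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

SAMPLE_LOG = [
    # three copies of the DHCP broadcast from the message (constructed I= values)
    "Dec 16 20:42:22 jfsgw kernel: Packet log: input DENY eth0 PROTO=17 "
    "10.2.0.1:67 255.255.255.255:68 L=350 S=0x00 I=22593 F=0x0000 T=255 (#9)",
    "Dec 16 20:42:24 jfsgw kernel: Packet log: input DENY eth0 PROTO=17 "
    "10.2.0.1:67 255.255.255.255:68 L=350 S=0x00 I=22601 F=0x0000 T=255 (#9)",
    "Dec 16 20:42:26 jfsgw kernel: Packet log: input DENY eth0 PROTO=17 "
    "10.2.0.1:67 255.255.255.255:68 L=350 S=0x00 I=22610 F=0x0000 T=255 (#9)",
    # constructed: a logged SYN to the RPC endpoint mapper (note the SYN token)
    "Dec 16 20:42:40 jfsgw kernel: Packet log: input REJECT eth0 PROTO=6 "
    "203.0.113.5:4242 198.51.100.7:135 L=60 S=0x00 I=31337 F=0x4000 T=51 SYN (#33)",
    # constructed: an ICMP echo request; the port fields are type 8, code 0
    "Dec 16 20:43:01 jfsgw kernel: Packet log: input DENY eth0 PROTO=1 "
    "203.0.113.9:8 198.51.100.7:0 L=84 S=0x00 I=4100 F=0x0000 T=48 (#12)",
    # constructed: an unrelated kernel line that must be ignored
    "Dec 16 20:43:02 jfsgw kernel: eth0: link up, 10Mbps, half-duplex",
]


def parse_packet_log(line):
    """Return the fields of one ipchains log line as a dict, or None if the
    line is not a "Packet log:" message (other kernel output is ignored)."""
    m = LOG_RE.search(line)
    if not m:
        return None
    proto = int(m.group("proto"))
    return {
        "chain": m.group("chain"),
        "target": m.group("target"),
        "iface": m.group("iface"),
        "proto": PROTO_NAMES.get(proto, str(proto)),
        "src": m.group("src"),
        "sport": int(m.group("sport")),   # ICMP type when proto is icmp
        "dst": m.group("dst"),
        "dport": int(m.group("dport")),   # ICMP code when proto is icmp
        "length": int(m.group("length")),
        "ttl": int(m.group("ttl")),
        "syn": "SYN" in m.group("extra").split(),
        "rule": int(m.group("rule")) if m.group("rule") else None,
    }


def summarize(lines):
    """Count hits per flow so the noisiest one surfaces first. The key is
    what a matching ipchains rule needs: chain, target, interface,
    protocol, source, destination and destination port."""
    counts = Counter()
    for line in lines:
        e = parse_packet_log(line)
        if e is not None:
            counts[(e["chain"], e["target"], e["iface"], e["proto"],
                    e["src"], e["dst"], e["dport"])] += 1
    return counts


def silent_rule(key, position=1):
    """Build an ipchains command that matches one flow from summarize() with
    the same target but without -l, so it stops reaching the logging rule.

    Only DENY/REJECT targets are generated: -I at a low position lands ahead
    of the anti-spoofing rules, which is harmless for a drop but would let an
    ACCEPT bypass them. Only tcp/udp: for icmp the "dport" is the ICMP code.
    """
    chain, target, iface, proto, src, dst, dport = key
    if target not in ("DENY", "REJECT") or proto not in ("tcp", "udp"):
        return None
    return (f"ipchains -I {chain} {position} -i {iface} -p {proto} "
            f"-s {src} -d {dst} {dport} -j {target}")


if __name__ == "__main__":
    # "python3 ipchains_log.py -" reads syslog from stdin; otherwise the sample is used.
    lines = sys.stdin if "-" in sys.argv[1:] else SAMPLE_LOG
    for key, n in summarize(lines).most_common():
        print(f"{n:6d}  " + " ".join(str(k) for k in key))
        rule = silent_rule(key)
        if rule:
            print(f"        {rule}")
```

Feed it real data with something like "grep 'Packet log' /var/log/kern.log | python3 ipchains_log.py -". The generator refuses ACCEPT targets on purpose: an -I near the top of the input chain sits in front of the anti-spoofing rules, which is exactly how an inserted ACCEPT ends up bypassing them, whereas a silent DENY/REJECT placed there cannot open anything the later rules would have blocked.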